Securing universities against increasing cyber threats

The University of Glasgow has learnt a valuable lesson when it comes to improving the efficiency of its Intrusion Detection System. By Trevor Dearing, EMEA marketing director, Gigamon.


THE TIME OF YEAR where thousands of young people descend on new towns and cities across the country to begin their university careers is upon us again. While these students may spend their first few weeks more concerned with the location of the nearest bar than the library, a time will come when they will be accessing a whole host of systems from a whole host of devices.

The 2012/2013 school year saw 2,340,275 students enrolled at universities across the UK [1], while campuses across the country also employed 382,515 members of staff [2]. Each of these individuals is likely to be connecting to their university’s network from at least one device (probably more) and, as such, a vast amount of traffic is crossing the infrastructure.

Traditionally, university networks have been relatively open – in comparison to financial or governmental institutions – given the vast number of people that require access. What is more, phishing attacks through social media, infected mobile applications and so on, are fairly easy ways to get through the somewhat weak defences, particularly where students are concerned. As such, universities require a security solution that will allow them to permit legitimate users free access, yet identify and prevent rogue attacks. One university that identified this as an issue, and found the right solution to the problem, was the University of Glasgow.

The University of Glasgow has more than 20,000 students and 6,000 members of staff. As one of the UK’s leading research centres and a member of the prestigious Russell Group universities, it contributes to research programmes with a global impact, in fields that range from the rapid detection of malaria to the biggest particle physics experiment in the world – the Large Hadron Collider.

The increasing cyber threat
Like all large institutions, the University of Glasgow needs to protect itself against the ever-increasing rise in cyber security threats and has traditionally used an Intrusion Detection System (IDS) to alert it to potential threats. However, with 30,000 users on the network, it was facing a huge problem of scale.

As Chris Edwards, information security coordinator at the university, said, “The cyber criminals will keep upping their game and it’s up to us to keep pace with them. Using IDS to monitor our network traffic is similar in many ways to using an antivirus programme on a PC, but we have to be able to do this concurrently for 30,000 users. This means we have to monitor huge volumes of internet traffic.”

The university had been using a mirrored port on one of its internet gateway routers, which fed its IDS, but it was limited to 1Gb of traffic. As internet traffic grew to tens of gigabits per second, this port was only able to monitor a fraction of the overall capacity and it became less and less probable that the system would identify malware or cyber attacks.

The problem couldn’t be resolved by simply adding multiple mirrored router ports because the algorithms within the routers only allow traffic to be mirrored to a single port, rather than spread across several ports. That meant the only way to scale the existing IDS would be to mirror all the traffic to a single port running faster than 10Gb. Even if this had been viable by, for example, putting in expensive new gateway routers, the IDS servers could only support 1Gb interfaces, so they couldn’t have received information at this higher rate.

Granular visibility
The University of Glasgow looked at a wide range of possible solutions before being introduced to Gigamon by systems integrator Synetix Solutions. The university was impressed by the Gigamon solution’s 10Gb capability, which also allowed plenty of headroom for future growth. It was also drawn to the granularity of Gigamon’s hardware-based filtering, as it would allow it to select only the traffic it needed to send to the IDS, as well as the fact that it was cost-effective and included platforms at the right scale. Using Gigamon’s G-TAP optical traffic splitters, which duplicate the traffic passing over the 10Gb links, the university began to mirror all external internet traffic. Gigamon’s hardware-based, patented Flow Mapping technology then isolates the traffic that needs to be sent to the IDS.

“We could send all our traffic to the IDS servers, but the Gigamon system has allowed us to be much more efficient and isolate only the traffic that we’re really interested in”, said Edwards. “For example, we might be sending some massive data files from the Large Hadron Collider project – which we know we can trust and might be too large for our IDS servers to analyse. We can use the Gigamon systems to filter this traffic out based on source and destination addresses, and significantly reduce the load on the IDS servers. When new sources come online, it’s an easy process to exclude the ones we aren’t interested in.”

The university can now monitor all of the traffic coming across its 10Gb internet links and, as the system is fed from an optical splitter, the original mirror port on the router has been freed up for other purposes. It has also been possible for it to reuse existing network monitoring and measuring equipment, as the Gigamon systems can pre-filter the traffic that the existing tools are exposed to.

The Gigamon platform also performs a load balancing function to share the traffic across multiple 1Gb ports on the IDS servers, using IP addressing to share the load evenly. This means the university can spread the IDS function across multiple cost-effective Linux servers, rather than having to invest in new, high-end, higher bandwidth hardware.
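The two steps described above, excluding trusted bulk flows by source and destination address and then sharing the remaining traffic across several IDS servers by IP address, can be sketched as follows. This is an added example, not Gigamon's implementation or the university's configuration: the address ranges, sensor names, CRC32 hash and the choice to hash the address pair symmetrically (so both directions of a conversation reach the same sensor) are all assumptions.

```python
import ipaddress
import zlib

# Constructed values: documentation address ranges and hypothetical sensor names.
# Each pair is (trusted remote source, campus destination) for a bulk transfer.
TRUSTED_PAIRS = [
    (ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("192.0.2.0/24")),
]
SENSORS = ["ids-1", "ids-2", "ids-3", "ids-4"]  # one per 1Gb IDS interface

# Constructed sample traffic as (source, destination) address pairs.
SAMPLE_PACKETS = [
    ("203.0.113.5", "192.0.2.10"),
    ("192.0.2.10", "203.0.113.5"),    # reply direction of the flow above
    ("198.51.100.7", "192.0.2.20"),   # trusted bulk transfer
    ("192.0.2.20", "198.51.100.7"),   # acknowledgements for that transfer
    ("203.0.113.99", "192.0.2.31"),
    ("2001:db8::1", "2001:db8::2"),
]

def is_excluded(src, dst):
    """True if the packet belongs to a trusted flow, in either direction."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any((s in a and d in b) or (s in b and d in a)
               for a, b in TRUSTED_PAIRS)

def pick_sensor(src, dst, sensors=SENSORS):
    """Return the sensor that should receive this packet, or None if filtered."""
    if is_excluded(src, dst):
        return None
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Sort the two addresses so A->B and B->A hash to the same value;
    # a sensor that sees only half a session cannot reassemble it.
    lo, hi = sorted((s.packed, d.packed))
    return sensors[zlib.crc32(lo + hi) % len(sensors)]

def distribute(packets):
    """Count how many packets each sensor receives and how many are filtered."""
    counts = {"filtered": 0, **{name: 0 for name in SENSORS}}
    for src, dst in packets:
        counts[pick_sensor(src, dst) or "filtered"] += 1
    return counts

if __name__ == "__main__":
    print(distribute(SAMPLE_PACKETS))
```

Every range added to the exclusion list is traffic the IDS never inspects, so the list is worth reviewing whenever a trusted source changes.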

Edwards continued, “The network traffic continues to grow, but now we can detect malware and attacks even better than we did before. I’d advise anyone in a similar position to talk to other similar organisations to see how they’ve resolved this problem. We’ll certainly be sharing our experiences around other UK universities.”


Reference
1. https://www.hesa.ac.uk/stats
2. https://www.hesa.ac.uk/index.php?option=com_content&view=article&id=1898&Itemid=239